Description
The WebSocket functionality in Storybook’s dev server, used to create and update stories, is vulnerable to WebSocket hijacking. This vulnerability only affects the Storybook dev server; production builds are not impacted.
Recommendation
Update the storybook package to the latest compatible version. Followings are version details:
Affected version(s): **>= 10.0.0-beta.0, < 10.2.10 >= 8.7.0-alpha.0, < 9.1.19 >= 8.1.0, < 8.6.17** Patched version(s): **10.2.10 9.1.19 8.6.17**
References
Related Issues
- Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket - CVE-2026-39363
- Cline Kanban Server has a Cross-Origin WebSocket Hijacking Vulnerability - CVE-2026-44211
- webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins - CVE-2026-6402
- Parse Server vulnerable to schema poisoning via prototype pollution in deep copy - CVE-2026-32878
You might also like:
- Tags:
- npm
- storybook
Anything's wrong? Let us know Last updated on February 26, 2026